
DHHS POLICIES AND PROCEDURES

____________________________________________________________________________________________________________

Section VIII: Privacy and Security

Title: Privacy Manual

Chapter: Administrative Policies, Privacy Official

Current Effective Date: 5/1/05

Revision History: 4/14/03

Original Effective Date: 4/14/03

____________________________________________________________________________________________________________

Purpose

This policy addresses the requirement to designate a North Carolina Department of Health and Human Services (NC DHHS) Privacy Officer and Agency Privacy Officials to serve as the primary point of contact for all privacy-related issues for the department and agency, respectively. The DHHS Privacy Officer and Agency Privacy Officials will be responsible for the coordination and facilitation of compliance activities associated with departmental privacy policies. This policy also describes the overall organizational approach for oversight and adherence to DHHS privacy policies.

This policy shall apply to any of the following DHHS agencies:

Background

The HIPAA Privacy Rule requires the designation of personnel who are responsible for the implementation of privacy policies and procedures, as well as personnel who are responsible for receiving complaints and answering questions concerning privacy.

DHHS, as a hybrid entity, must designate a privacy officer who is responsible for the coordination and implementation of all privacy and confidentiality efforts within the department. In addition, DHHS has determined that the department agencies that are defined in the purpose section of this policy must each designate a privacy official to act as the primary point of contact for the privacy of health information that is used within or disclosed outside of that agency.

Policy

DHHS and its agencies, as defined in the purpose section of this policy, shall ensure the privacy and confidentiality of that information by designating department and agency privacy officials to provide the oversight of the use and disclosure of health information.

Implementation

Responsibilities

  1. Department Privacy Officer

    The DHHS Privacy Officer shall oversee all activities related to the development, maintenance, and adherence to department policies regarding the use and disclosure of individually identifiable health information, in accordance with state and federal laws as well as best business practices.

    The responsibilities of the DHHS Privacy Officer shall also include, but are not limited to, the following:
    1. Act as the Department expert for issues related to privacy in the use and disclosure of health information.
    2. Serve as liaison with the North Carolina Office of the Attorney General in the analysis and application of state and federal privacy laws.
    3. Develop and maintain Department privacy policies related to the use and disclosure of health information.
    4. Provide guidance in the implementation of health information privacy policies and procedures.
    5. Provide consultation and direction regarding privacy and confidentiality of health information to agencies within the Department.
    6. Coordinate privacy activities within the department.
    7. Create educational awareness programs and ensure staff and extended workforce training is conducted.
    8. Monitor state and federal privacy legislation.
    9. Monitor DHHS compliance with DHHS privacy policies and report compliance level to management.
    10. Escalate privacy issues to DHHS management as appropriate.
    11. Communicate all Department expectations for privacy to Agency Privacy Officials.

  2. Agency Privacy Official

    Agency Privacy Officials shall guide all agency activities related to adherence to DHHS privacy policies regarding the use and disclosure of individually identifiable health information, in accordance with state and federal laws, best business practices, and DHHS Privacy Officer direction.

    Agency Privacy Official responsibilities shall also include, but are not limited to, the following:
    1. Serve as primary agency contact for privacy issues and concerns regarding the use and disclosure of health information and for client rights regarding health information.
    2. Serve as the agency liaison to the DHHS Privacy Officer for privacy-related activities.
    3. Coordinate and facilitate efforts to support the agency in the accomplishment of its privacy compliance activities.
    4. If the DHHS agency is also a covered health care component under the HIPAA Privacy Rule (i.e., not an internal business associate), the Agency Privacy Official shall be responsible for responding to client requests for further information concerning the Notices of Privacy Practices.

  3. DHHS Agencies

    DHHS agencies are responsible for ensuring agency compliance with department privacy policies. The following are some of the agency requirements in which the Agency Privacy Official may participate:
    1. Develop procedures based on department privacy policies to ensure the protection of individually identifiable health information within the agency.
    2. Implement agency privacy requirements by incorporating new privacy practices into existing business operations.
    3. Ensure applicable privacy training delivery to agency staff and extended workforce.
    4. Provide a designated agency contact for privacy complaints and ensure that all complaints are appropriately documented.
    5. Monitor agency compliance with DHHS privacy policies.
    6. Ensure appropriate use and disclosure of individually identifiable health information and client rights in regard to health information.
    7. Provide reasonable privacy protections for individually identifiable health information within the agency.

Implementation Activities

The department secretary shall designate a DHHS Privacy Officer. The DHHS Privacy Officer shall maintain the list of all agency privacy officials within the department.

Each agency defined in the purpose section of this policy shall designate a staff member to serve as the agency privacy official. These designees may have other primary job functions in addition to privacy responsibilities.

Organizationally, privacy officials report to their supervisor within the agency. Agency privacy officials shall have an indirect reporting relationship to the DHHS Privacy Officer for privacy-related activities only. Upon request from the agency supervisor, the DHHS Privacy Officer shall provide input into the agency privacy official’s annual performance evaluation as applicable to privacy-related activities.

Reference:

DHHS Directive Number III-11; 45 CFR 164.530



For questions or clarification on any of the information contained in this policy, please contact the DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.
